Protect custom form from SQL injection

Yes, $wpdb->update is sufficient protection. You should not escape or prepare the data.

From the documentation of wpdb:

data (array) Data to update (in column => value pairs). Both $data
columns and $data values should be “raw” (neither should be SQL
escaped). This means that if you are using GET or POST data you may
need to use stripslashes() to avoid slashes ending up in the database.

As a side note, you can help wordpress better understand the content to prepare for the database by including format and where_format in your update call.

$uptable = $mydb->update(
    'table',
    $updatevalues,
    $where_data,
    $data_format, // '%d' for numbers, '%s' for strings, can be an array
    $where_format // Same here
);

Update: In reply to your comment:

It depends on the data you are saving and its purpose.

Your next step after SQL injection is to prevent XSS attacks. This is where a user is able to enter malicious Javascript into your text field, and the database saves it and then your site happens to display it to other users.

While this can be prevented by using esc_html() when displaying the content from the database, it’s better not to have that stuff in the database in the first place!

As for the code to do this, it would look like this:

$user_value = stripslashes($_POST['user_value']);
$user_value = sanitize_text_field($user_value);
$user_data = array('table_column' => $user_value);
$user_format = array('%s'); // Means $user_value is a string
$where_data = array('id' => 5); // example
$where_format = array('%d'); // Means 'id' is a number
$mydb->update(
    'table',
    $user_data,
    $where_data,
    $user_format,
    $where_format
);

And if you only want that data to be alpha numeric, you could wrap the code after stripslashes with if(ctype_alnum($user_value)). Ultimately you only want the exact data you need and nothing more.

Hope that helps!

Related Posts:

  1. How to use $wpdb to delete in a custom table
  2. get_results on large datasets
  3. Is there a (better) way to access $wpdb results?
  4. Using $wpdb generates DB error
  5. How do you use prepare when asking for a list of id’s
  6. how to execute different sql query in non-sanitized $wpdb->get_results function
  7. WPDB update row with != in where clause
  8. How to update records using $wpdb?
  9. Need help writing a $wpdb query
  10. show badge with count for pending items in custom post type
  11. WP Sql query multiple where clause
  12. WordPress SQL query – returning ‘true’ ‘false’ or ‘null’
  13. Modify the structure of data returned by $wpdb
  14. Syntax for $wpdb->prepare when searching in two columns
  15. Confused by $wpdb->prepare
  16. How to display user_nicename and usermeta values by custom query in WordPress?
  17. Optimizing WordPress Queries – Removing Group By ID
  18. How can I combine one field using wpdb and group by?
  19. $wpdb->prepare with ON DUPLICATE KEY UPDATE
  20. how to use $wpdb->prepare to update a custom table
  21. WPDB Placeholders and second argument for prepared statements
  22. Increment integer field in database when WHERE needs to be dynamic [closed]
  23. Custom SQL query ORDER BY term_order
  24. Custom $wpdb returns unexpected time based results
  25. How to left join meta in queries [closed]
  26. wpdb->get_row is selecting the variable as a column name
  27. CREATE TABLE with dbDelta does not create table
  28. $wpdb query outputs php code instead of executing it
  29. wpdb query not working
  30. WordPress wpdb->insert returns int(0) => doesn’t insert anything, no errors!
  31. WPDB SQL Ignore `post_status` Parameter
  32. how to list all post that are in the custom taxonomy using $wpdb
  33. WPDB SQL query SELECT from category
  34. How to use WHERE NOT EXISTS query to avoid duplicate entry using $wpdb to save in custom table?
  35. Creating an Angular factory from custom database table
  36. wpdb->update update the entire table instead of one row
  37. How do I update post based on meta_key in another table?
  38. How to set up prepared query using IN statement
  39. Custom database query to validate data
  40. Alter the main search query to search posts by coauthor user name
  41. Creates only one table and not the other
  42. looking for a way to allow users to backup the plugin db data(save as)
  43. SQL Query to select post title & post ID from a particular category
  44. Get comments after specific date
  45. query using wpdb in wordpress gets me no result
  46. Get count of rows based if column exists in two different tables
  47. query_vars doesn’t return query string (trying to get data from $wpdb)
  48. Fetch array with $wpdb
  49. $wpdb->get_results(…) returns empty array despite correct query
  50. SELECT max(meta_value) FROM wp_postmeta WHERE meta_key=’price’… stops working when value is over 999
  51. Theoretical Multi-Server WordPress Setup with Shared Users
  52. Inserting Post Meta From SQL
  53. WordPress insert NOW() in TIMESTAMP column returns all zeros
  54. $wpdb prepare issue with mysql DATE_FORMAT
  55. How-To: wpdb Insert Record With Date
  56. How to pass NULL in where array for $wpdb->update
  57. Get WooCommerce product attribute taxonomies in a SQL query on WordPress database
  58. Get random row from custom table
  59. store custom WP table names in a global variable
  60. I am not understandinhg $wpdb->prepare correctly
  61. Using WPDB class
  62. Problem displaying inserted form
  63. What is _transient_random_seed for?
  64. wpdb get_results() and prepare when to use prepare?
  65. Foreach loop using $wpdb not results from rows
  66. What’s the proper way to add users to my site in order to test things?
  67. Q: How to pull data from custom table to populate zustomizer setting/control select options
  68. Code only works every other time its run
  69. I can’t figure out what’s wrong with this statement. $wpdb->query update
  70. Can’t pass variable in wordpress wpdb->get_results
  71. How do I count columns on a custom WPDB query?
  72. Trouble inserting string containing quotations marks with wpdb in save_post hook
  73. How can I add a new row in a separate database when someone registers via WordPress?
  74. Clear Terms from Taxonomy for Specific Post IDs?
  75. $wpdb->insert() doesnt work anymore
  76. Where can I see MySQL hostname and port for wp-config.php
  77. $wpdb->get_results not returning an array
  78. WPDB Query Question with Category Only
  79. wpdb result arrray inside an array
  80. Fetching review value using wpdb class
  81. $wpdb->num_rows doesn’t work
  82. How can I change my meta_query to SQL wpdb query?
  83. Database SQL query error
  84. How capturate wpdb exceptions?
  85. Limit left join
  86. Get records from Formidable Table using $wpdb->get_col
  87. What argument does my function need to echo get_results() query results
  88. Missing argument 2 for wpdb::prepare() [duplicate]
  89. Save customizer default values to DB on theme activation
  90. Plugin with connection to database – Single function
  91. why nl2br() is adding an extra ?
  92. How to add more custom fields in user meta table simultaneously
  93. get unserialized array without using get_option()
  94. Create Table Failed Column Date DateType
  95. Checking if meta_value exists for any user
  96. Can you create a new wpdb that connects to an SQL (not MYSQL) database? [duplicate]
  97. Get all the related data from WordPress DB
  98. How do I change the datetime format from ( ‘y-m-d’ ) to ( ‘d m y’ ) [closed]
  99. WP Recommended Table Exclusions?
  100. Can’t send form data to wpdb when URL has query string